I’m teaching a class at Syracuse University Law School this week as part of a partnership between the law school and the New York State Bar Association. My colleague, Kevin Ryan, the Executive Director of the Monroe County Bar Association, is teaching the class with me, and we’ll be talking to the students about lawyers and cybersecurity. As a result, I’ve got cybersecurity on my mind.
And I’m not the only one. Cybersecurity is an issue that has become of paramount importance in recent years in the wake of large-scale breaches, like the Equifax and Capital One data breaches.
No doubt your firm has already taken steps to protect its data. If so, your firm isn’t alone. Most firms already have some cybersecurity measures in place, as I discussed in this post from last April. But no matter what steps your firm has taken, most experts opine that a breach will nevertheless occur at some point; the question isn’t whether it will occur, but when.
When that happens, is your firm prepared? Does your firm have breach protocols in place that comport with the latest ethical guidance? If not, here’s what you need to know about your ethical obligations after a breach or cyberattack.
There are two ethics opinions that were issued within the past year that provide a helpful roadmap for firms to follow in the event of a breach: ABA Formal Opinion 483 and Maine Opinion No. 220.
These opinions provide very similar guidance, with one exception that I’ll discuss momentarily, but for the purposes of this post, I’ll focus on the recommendations found in the ABA opinion. Notably, the opinions only address lawyers’ ethical obligations after a data breach of information relating to the representation of a client. Other post-breach notification obligations required by privacy laws and other statutory requirements — such as those imposed by the GDPR, or those that will be imposed by the California Consumer Privacy Act or the New York SHIELD Act — are not addressed in the opinion.
Technology competence
At the outset, the importance of technology competence was emphasized by the ABA Standing Committee on Ethics and Professional Responsibility. The ABA Committee explained that lawyers must “understand technologies that are being used to deliver legal services to their clients … [and] must use and maintain those technologies in a manner that will reasonably safeguard property and information that has been entrusted to the lawyer.” Notably, the ABA Committee explained that lawyers may outsource this requirement and that it “may be satisfied either through the lawyer’s own study and investigation or by employing or retaining qualified lawyer and nonlawyer assistants.”
How to prepare for a breach
Next, the ABA Committee addressed lawyers’ continuing ethical obligations prior to a breach occurring. The ABA Committee advised that “lawyers must make reasonable efforts to monitor their technology resources to detect a breach … [and] should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.”
Importantly, the ABA Committee explained that a failure to immediately detect a breach is not a violation of ethical duties as long as a law firm has reasonably effective monitoring procedures in place: “[T]he potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”
Post-breach obligations
According to the ABA Committee, once a breach occurs, lawyers have an ethical obligation to:
- Act reasonably and promptly to stop the breach and mitigate damage resulting from the breach;
- Make all reasonable efforts to restore computer operations sufficient to allow the firm to again service the needs of clients;
- Conduct a post-breach investigation to determine what occurred during the data breach; and
- Evaluate data breach notice obligations as they relate to current clients.
Note that while the ABA Committee advised that former clients did not require breach notification “in the absence of a black letter provision requiring such notice,” the Maine Committee reached a different conclusion. Specifically, the Maine Committee concluded that pursuant to the Maine Rules of Professional Conduct, a “former client must be timely notified regarding a cyberattack or data breach that has, or may have, exposed the client’s confidences or secrets.”
Given the divergent conclusions on the issue of notifying former clients, if you aren’t a Maine attorney, your best bet would be to carefully review your jurisdiction’s laws, regulations, and ethical guidelines to determine whether you must notify former clients in the event of a breach.
So now that you understand your ethical obligations when it comes to law firm data breaches, it’s time to get to work. Assess your law firm’s plans for responding to a data breach and update them, if necessary.
After all, these days, breaches are a fact of life. Rather than ignoring the realities of practicing law in 2019, prepare your firm for the possibility of a breach and take reasonable steps to establish procedures that will protect your firm’s confidential client information. It’s not just the right thing to do — it’s the ethical thing to do.
Nicole Black is a Rochester, New York attorney and the Legal Technology Evangelist at MyCase, web-based law practice management software. She’s been blogging since 2005, has written a weekly column for the Daily Record since 2007, is the author of Cloud Computing for Lawyers, co-authors Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York. She’s easily distracted by the potential of bright and shiny tech gadgets, along with good food and wine. You can follow her on Twitter @nikiblack and she can be reached at [email protected].